OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

ADMINISTRATIVE COSTS CLAIMED BY THE KENTUCKY DISABILITY DETERMINATION SERVICES

February 2009   A-08-08-18059

AUDIT REPORT

Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA’s programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA’s programs, operations and management by proactively seeking new ways to prevent and deter fraud,
waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

SOCIAL SECURITY

MEMORANDUM

Date:    February 20, 2009
Refer To:
To:      Paul D. Barnes
         Regional Commissioner
         Atlanta
From:    Inspector General
Subject: Administrative Costs Claimed by the Kentucky Disability Determination Services (A-08-08-18059)

OBJECTIVE

For our audit of Federal Fiscal Years (FFY) 2005 and 2006 administrative costs claimed by the Kentucky Disability Determination Services (KY-DDS), our objectives were to

• evaluate the Kentucky Cabinet for Health and Family Services’ (KY-CHFS) and KY-DDS’ internal controls over the accounting and reporting of administrative costs;
• determine whether costs claimed by KY-DDS were allowable and funds were properly drawn; and
• assess limited areas of the general security controls environment.

BACKGROUND

Disability determinations under the Social Security Administration’s (SSA) Disability Insurance and Supplemental Security Income programs are performed by disability determination services (DDS) in each State or other responsible jurisdiction. Such determinations are required to be performed in accordance with Federal law and underlying regulations.[1] Each DDS is responsible for determining claimants’ disabilities and assuring that adequate evidence is available to support its determinations.
To make proper disability determinations, each DDS is authorized to purchase consultative examinations (CE) and medical evidence of record from the claimants’ physicians or other treating sources. SSA pays the DDS for 100 percent of allowable reported expenditures up to its approved funding authorization, based on a State Agency Report of Obligations for SSA Disability Programs (Form SSA-4513).

KY-DDS, a division of KY-CHFS, is located in Frankfort, Kentucky, and its branch office is located in Louisville, Kentucky. KY-CHFS maintains KY-DDS’ official accounting records and prepares its Form SSA-4513. For additional background, scope and methodology, see Appendix B.

[1] 42 U.S.C. § 421; 20 C.F.R. §§ 404.1601 et seq. and 416.1001 et seq.

RESULTS OF REVIEW

KY-CHFS’ and KY-DDS’ internal controls over the accounting and reporting of administrative costs for FFYs 2005 and 2006 were generally effective to ensure costs claimed were allowable and funds were properly drawn. However, we determined that KY-DDS’ inventory controls were not sufficient. We also determined that KY-DDS’ general security controls and practices did not adequately protect claimant data or ensure the ongoing security of personnel and property. In addition, KY-DDS’ Security Plan did not meet SSA requirements.
Moreover, SSA policy for DDSs did not always provide sufficient guidance.

INVENTORY CONTROLS NEEDED IMPROVEMENT

KY-DDS did not maintain accurate and complete inventory records of computer equipment.

• We were unable to locate 26 (6.9 percent) of the 379 items randomly selected for review.[2] While most of the 26 missing items were office furniture, 7 were computers. After our on-site inventory review, KY-DDS management advised us that they located one computer and found documentation indicating three others were surplused. However, KY-DDS management could not determine the status (location) of two computers. Additionally, while they believed the final missing computer had been surplused, they could not find evidence to verify this determination. We do not know whether any of these computers contained personally identifiable information (PII). However, KY-DDS told us they believed that if the computers ever contained PII, it would have been erased—as this is the DDS’ customary practice when surplusing/disposing of computers.[3]
• We also determined KY-DDS did not always (1) account for and record equipment SSA purchased, (2) accurately record the location of items, (3) remove items from the inventory report that had been sold or surplused, or (4) identify the source of funds used to purchase the equipment.

SSA policy indicates that DDSs are responsible for inventory of all equipment acquired—whether purchased through SSA or the State.[4] In addition, policy requires that DDSs record the description; source of funds used in the purchase (State or Federal); inventory or serial number; date purchased; and physical location, including building address and room or floor location, for each inventory item.[5] Policy also requires that DDSs label equipment purchased with Federal trust funds to identify that it was SSA-purchased.[6] Because proper equipment accountability reduces the risk of loss or theft, we recommend SSA instruct KY-DDS to establish adequate internal controls over inventory to ensure that inventory records are reliable and maintained in accordance with SSA policy.

[2] Of the 379 inventory items reviewed, we could not verify 13 (5.1 percent) of 255 items at Frankfort and 13 (10.5 percent) of 124 items at Louisville.
[3] We notified SSA’s Atlanta Regional Office of the missing computer equipment. Within 24 hours of the notification, the Regional Office informed KY-DDS to send a report of suspected loss of PII to the National Computer Service Center, which they did.

GENERAL SECURITY CONTROLS WERE INSUFFICIENT

KY-DDS’ general security controls were insufficient, which increased the risk of unauthorized access and loss of sensitive information and equipment. While KY-DDS evaluated the Louisville office’s security controls and created a Corrective Action Plan for weaknesses identified, it did not prepare a Risk Assessment Plan.
In addition, the Frankfort office’s general security controls needed improvement, and KY-DDS did not prepare a Risk Assessment Plan for that office either.

SSA provides DDSs with mandatory standards for maintaining and safeguarding the Agency’s systems and claimant data, along with discretionary standards for protecting facilities and personnel.[7] SSA also requires that DDS management prepare a Risk Assessment Plan for any physical security guideline it cannot meet.[8]

Louisville Office’s Security Controls Were Not Adequate

Physical security controls at the building where the Louisville office is located did not adequately protect or limit access to DDS space. The Louisville office is located on four floors in a privately owned multi-tenant building.

[4] SSA, Policy Operations Manual System (POMS), DI 39530.020A.1.
[5] SSA, POMS, DI 39530.020B.1.
[6] SSA, POMS, DI 39530.020B.2.
[7] SSA, POMS, DI 39567.001, 010 - 100, 315, 320, 325, and 340.
[8] SSA, POMS, DI 39567.155.C.

The building was not protected with 24-hour security guard service and the building did not have an intrusion detection system (IDS).[9] Additionally, the perimeter walls were not made of slab-to-slab construction,[10] several perimeter doors did not have peepholes or non-rising/spot-welded hinges,[11] and several utility boxes were not locked or secured.[12] The computer room walls were not constructed to prevent unauthorized entry. For example, the walls were not slab-to-slab construction and did not have a chain link fence, heavy wire mesh, or motion sensor devices in the space between the false ceiling and the true ceiling.[13] Furthermore, an elevator on one floor opened directly into KY-DDS’ area.
KY-DDS positioned a security guard at the elevator to prevent unauthorized access during business hours, and KY-DDS management told us they provided a stand-in for the guard when needed. Yet, during a site visit, we noted that the security guard had stepped away from his post, but no alternate took his place.

KY-DDS’ access controls at the Louisville office were also inadequate because the DDS did not change door codes when staff with knowledge of the codes left or no longer needed to know them.[14] In addition, KY-DDS did not adequately protect or limit access to claimant data at the Louisville office because it had not implemented a clean desk policy and secured claimant records.[15] As such, contracted personnel who cleaned the office during non-business hours had access to sensitive areas and data.

As of our last visit, the Louisville office had not implemented the security measures previously mentioned. KY-DDS recognized these limitations in its 2006 and 2008 security reviews and stated in each year’s Corrective Action Plan that they were “reviewing the practice” or “considering a change.” However, KY-DDS has taken no action to reduce or eliminate these vulnerabilities and did not prepare a Risk Assessment Plan that addressed these issues. In fact, KY-DDS management told us they were unclear on SSA policy concerning the Risk Assessment Plan.

We recommend that SSA and KY-DDS timely reduce or eliminate the physical security issues identified at the Louisville office. Furthermore, SSA should instruct KY-DDS to implement a clean desk policy and ensure that all door codes are changed when staff with knowledge of the codes leave or no longer have a need to know the codes.
We also recommend SSA work with KY-DDS to develop a Risk Assessment Plan for the Louisville office.

[9] SSA, POMS, DI 39567.020E.
[10] SSA, POMS, DI 39567.015C.
[11] SSA, POMS, DI 39567.015A.
[12] SSA, POMS, DI 39567.015F.
[13] SSA, POMS, DI 39567.020G.5.
[14] SSA, POMS, DI 39567.040.B.
[15] SSA, POMS, DI 39567.020A and DI 39567.040C.

Frankfort Office’s Security Controls Needed Improvement

Because KY-DDS uses an IDS and guard services at the Frankfort office, we believe that the office’s overall security controls were generally adequate. However, we found some controls that needed improvement. SSA policy requires that DDSs adequately safeguard systems, claimant information, and facilities to prevent unauthorized entry, access, or disclosure. We found the following conditions at the Frankfort office.

• Although KY-DDS installed an IDS at this facility in June 2007, management had not scheduled any testing. SSA’s DDS internal office security guidelines instruct DDSs to test IDSs semiannually to ensure all sensors are working properly.[16]
• KY-DDS kept its undistributed keys in an unlocked file in the Commissioner’s staff area. SSA’s internal office security guidelines direct DDSs to limit possession of office keys to management or individuals who must have them.[17]
• KY-DDS’ computer room did not have slab-to-slab construction to prevent unauthorized entry, and the DDS did not use an alternate measure, such as installing chain link fences, heavy wire mesh, or motion sensor devices in the space between the facility’s false ceiling and the true ceiling.[18]
• Three utility boxes were unlocked.
  SSA’s perimeter office security guidelines instruct DDSs to keep utility boxes locked to prevent tampering.[19]
• The DDS had not tested its uninterruptible power supply (UPS). Without testing its UPS, KY-DDS could not ensure power would be adequate for orderly shutdown.[20]
• Management was unclear on policy regarding the Risk Assessment Plan and had not prepared one for the Frankfort office.

We discussed these security control issues with KY-DDS management, who generally agreed to correct each. However, KY-DDS management stated that it would be costly for the building owner to raise the wall in the computer room. We recommend SSA work with KY-DDS to ensure the above security control issues are addressed and develop a Risk Assessment Plan for the Frankfort office.

[16] SSA, POMS, DI 39567.020E.1.
[17] SSA, POMS, DI 39567.040A.
[18] SSA, POMS, DI 39567.020G.5.
[19] SSA, POMS, DI 39567.015F.
[20] U.S. Government Accountability Office’s (formerly known as the General Accounting Office) Federal Information System Controls Audit Manual, GAO/AIMD-12.19.6, p. 130 January 1999.

SECURITY PLAN NOT ADEQUATE

KY-DDS’ Security Plan for Frankfort and Louisville did not adequately meet SSA requirements. In addition, the Security Plan only contained six of the eight required parts, and these parts did not include all the required elements.[21] Parts D (Systems Review/Recertification Plan [Technical Security]) and H (Risk Assessment/Exceptions) were missing from the Security Plan. Part A (Physical Security DDS Description/Profile) did not disclose the size of the office,[22] and Part G (Disaster Recovery Plan) did not cite the local resources needed to operate in the event of a disaster.[23] After discussing the Security Plan’s missing parts and elements, KY-DDS management stated they will revise the Security Plan.
We recommend SSA ensure KY-DDS submits a revised Security Plan that meets the Agency’s requirements.

DISABILITY DETERMINATION SERVICES’ RESPONSIBILITY OVER EQUIPMENT RENTALS

Because the contract was between the Commonwealth of Kentucky and the vendor, KY-CHFS believed SSA was not a party to the equipment rental agreement. However, SSA funds were used for these expenditures. In addition, KY-DDS management told us they were unclear with regard to their responsibility over rental equipment.

We recommend that the Atlanta Regional Office work with SSA’s Office of Disability Determinations to review policy concerning SSA-funded rental equipment and revise it, where necessary, to provide specific guidance on DDS responsibilities. In addition, it is essential that this guidance specify whether DDSs should retain documentation regarding SSA approval, and if so, the retention period. Currently, State agencies are required to retain financial records and supporting documents pertinent to disability determinations for 3 years or until a Federal audit has been performed and all findings resolved.[24] We believe the Agency should consider a similar retention period.

DISABILITY DETERMINATION SERVICES’ RESPONSIBILITY OVER EMPLOYEE TRAVEL

While policy requires that DDSs obtain SSA Regional Office approval before staff travels to National Association of Disability Examiners (NADE) meetings,[25] KY-DDS was unable to provide documentation that supported SSA’s approval for staff traveling to a NADE meeting. KY-DDS management and SSA’s Disability Program Administrator agreed prior approval was obtained. However, no documentation was retained. We recommend that the Atlanta Regional Office work with SSA’s Office of Disability Determinations to clarify in policy whether documentation should be retained regarding SSA approval, and if so, the retention period for these approvals.

[21] SSA, POMS, DI 39567.160B.
[22] SSA, POMS, DI 39567.165.2.
[23] SSA, POMS, DI 39567.195D.
[24] SSA, POMS, DI 39509.005C.1.
[25] SSA, POMS, DI 39524.001C.2.

POLICY SILENT ON DISABILITY DETERMINATION SERVICES VERIFYING THAT MEDICAL CONSULTANTS HAVE NOT BEEN SANCTIONED

SSA policy does not require that DDSs review the U.S. Department of Health and Human Services, Office of Inspector General, List of Excluded Individuals/Entities to ensure medical consultants are not included on the list. This list identifies individuals and entities that are sanctioned from participating in any Federal or federally assisted program. We believe DDSs should be required to consult this list before retaining the services of all medical consultants. Therefore, we recommend the Atlanta Regional Office work with SSA’s Office of Disability Determinations to establish such a policy.

CONCLUSION AND RECOMMENDATIONS

KY-CHFS and KY-DDS generally had effective controls over the accounting and reporting of administrative costs for FFYs 2005 and 2006. However, our review of KY-DDS’ controls over physical security and inventory disclosed that the DDS could be vulnerable to unauthorized access and loss of sensitive information and equipment. In addition, KY-DDS did not have an adequate Security Plan. Furthermore, we found SSA needed to enhance its guidance to DDSs.

We recommend SSA’s Atlanta Regional Office:

1. Instruct KY-DDS to establish adequate internal controls over inventory to ensure that inventory records are reliable and maintained in accordance with SSA policy.
2. Work with KY-DDS to timely reduce or eliminate the Louisville office’s physical security control weaknesses.
3. Instruct KY-DDS to change door codes at the Louisville office when staff with knowledge of the codes leave or no longer have a need to know them.
4. Instruct KY-DDS to implement a clean desk policy at the Louisville office.
5. Instruct KY-DDS to test the Frankfort office’s IDS semiannually.
6. Instruct KY-DDS to keep the Frankfort office’s undistributed keys in a locked drawer or cabinet.
7. Work with KY-DDS to enhance security controls for the Frankfort office’s computer room and utility boxes.
8. Instruct KY-DDS to routinely test the Frankfort office’s UPS.
9. Ensure KY-DDS establishes a Security Plan, which meets SSA requirements, for the Frankfort and Louisville offices—this includes developing Risk Assessment Plans for each office’s physical security vulnerabilities.

We also recommend the Atlanta Regional Office work with SSA’s Office of Disability Determinations to:

10. Revise and/or clarify policy regarding DDS responsibility in obtaining prior approvals and document retention for equipment rentals.
11. Revise and/or clarify policy regarding DDS responsibility in obtaining prior approvals and document retention for DDS staff travel to NADE conferences.
12. Establish policy that requires DDSs to review U.S. Department of Health and Human Services, Office of Inspector General, List of Excluded Individuals/Entities to determine whether medical consultants have been sanctioned from participating in any Federal or federally assisted program.

AGENCY COMMENTS AND OIG RESPONSE

SSA agreed with our recommendations.
We appreciate that the Regional Office provided guidance to the DDS for Recommendations 10 through 12; however, we believe the region needs to work with SSA’s Office of Disability Determinations to “document” these policies so all DDSs will be held to the same standards. The full text of SSA’s and KY-CHFS’ comments are included in Appendices D and E.

OTHER MATTER

CLAIMANTS’ PERSONALLY IDENTIFIABLE INFORMATION DISCLOSED TO THIRD PARTIES WHO MAY NOT NEED TO KNOW

KY-DDS routinely disclosed disability claimants’ PII to vendors. During the disability determination process, KY-DDS purchases services that include medical evidence (CE and medical evidence of record) and claimant travel. Our review of medical and applicant travel invoices revealed that these documents contained PII including names, addresses, dates of birth, Social Security numbers (SSN), and telephone numbers. Although we have no reason to believe this information had been abused, this practice potentially could result in the misuse of claimants’ PII.

Federal guidance dictates that agencies should reduce their current holdings of all PII to the minimum necessary for the proper performance of a documented agency function.[26] Agencies must also review their use of SSNs in agency systems and programs to identify instances in which collection and use of the SSN is superfluous.[27]

[26] Office of Management and Budget (OMB) Memorandum M-07-16, Attachment 1 § B.1.a. This Memorandum (page 2) also indicates a few simple and cost-effective steps to greatly reduce the risks related to a data breach of PII, such as limiting access to only those individuals who must have such access. Access is defined as the ability or opportunity to gain knowledge of PII.
[27] OMB Memorandum M-07-16, Attachment 1 § B.2.a.

On October 5, 2007, SSA’s Office of Disability Determinations informed Regional Offices that DDSs should review their processes to eliminate the use of SSNs on correspondence where possible. Given the prevalence of identity theft, we encourage KY-CHFS and KY-DDS to take steps to limit the disclosure of PII (in particular, redact or truncate claimants’ SSNs) in all third-party correspondence.

Patrick P. O’Carroll, Jr.

Appendices

APPENDIX A – Acronyms
APPENDIX B – Background, Scope and Methodology
APPENDIX C – Schedule of Total Costs Reported on Form SSA-4513—State Agency Report of Obligations for Social Security Administration Disability Programs
APPENDIX D – Agency Comments
APPENDIX E – Kentucky Cabinet for Health and Family Services Comments
APPENDIX F – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms

Act        Social Security Act
C.F.R.     Code of Federal Regulations
CE         Consultative Examination
DDS        Disability Determination Services
DI         Disability Insurance
FFY        Federal Fiscal Year
IDS        Intrusion Detection System
KY-CHFS    Kentucky Cabinet for Health and Family Services
KY-DDS     Kentucky Disability Determination Services
NADE       National Association of Disability Examiners
OMB        Office of Management and Budget
OIG        Office of the Inspector General
PII        Personally Identifiable Information
POMS       Policy Operations Manual System
SSA        Social Security Administration
SSI        Supplemental Security Income
SSN        Social Security Number
UPS        Uninterruptible Power Source

FORM

SSA-4513   State Agency Report of Obligations for SSA Disability Programs

Appendix B

Background, Scope and Methodology

BACKGROUND

The Disability Insurance (DI) program, established under Title II of the Social Security Act (Act), provides benefits to wage earners and their families in the event the wage earner becomes disabled. The Supplemental Security Income (SSI) program, established under Title XVI of the Act, provides benefits to financially needy individuals who are aged, blind, and/or disabled.

The Social Security Administration (SSA) is responsible for implementing policies for the development of disability claims under the DI and SSI programs. Disability determinations under both the DI and SSI programs are performed by disability determination services (DDS) in each State, Puerto Rico, and the District of Columbia. Such determinations are required to be performed in accordance with Federal law and underlying regulations.[1] In carrying out its obligation, each DDS is responsible for determining claimants’ disabilities and ensuring that adequate evidence is available to support its determinations.
To assist in making proper disability determinations, each DDS is authorized to purchase medical examinations, X-rays, and laboratory tests on a consultative basis to supplement evidence obtained from the claimants’ physicians or other treating sources.

SSA reimburses the DDS for 100 percent of allowable reported expenditures up to its approved funding authorization. The DDS withdraws Federal funds through the Department of the Treasury’s Automated Standard Application for Payments System to pay for program expenditures. Funds drawn down must comply with Federal regulations[2] and intergovernmental agreements entered into by the Department of the Treasury and States under the Cash Management Improvement Act of 1990.[3] An advance or reimbursement for costs under the program must comply with Office of Management and Budget (OMB) Circular A-87, Cost Principles for State, Local, and Indian Tribal Governments. At the end of each quarter of the Federal Fiscal Year (FFY), each DDS submits a State Agency Report of Obligations for SSA Disability Programs (Form SSA-4513) to account for program disbursements and unliquidated obligations.

[1] 42 U.S.C. § 421; 20 C.F.R. §§ 404.1601 et seq. and 416.1001 et seq.
[2] 31 C.F.R. Part 205.
[3] Pub.L. No. 101-453.

SCOPE

To accomplish our objectives, we reviewed the administrative costs Kentucky Disability Determination Services (KY-DDS) reported on its Form SSA-4513 for FFYs 2005 and 2006.
For the periods reviewed, we obtained evidence to evaluate recorded financial transactions and determine whether they were allowable under OMB Circular A-87 and appropriate, as defined by SSA’s Program Operations Manual System (POMS).

We also:

• Reviewed applicable Federal laws, regulations and pertinent parts of POMS DI 39500, DDS Fiscal and Administrative Management, and other instructions pertaining to administrative costs incurred by KY-DDS and draw down of SSA funds.
• Interviewed Kentucky Cabinet for Health and Family Services and KY-DDS staff and corresponded with SSA Regional Office personnel.
• Evaluated and tested internal controls regarding accounting and financial reporting and cash management activities.
• Verified the reconciliation of official State accounting records to the administrative costs reported by KY-DDS on Form SSA-4513 for FFYs 2005 and 2006.
• Examined the administrative expenditures (personnel, medical service, and all other non-personnel costs) incurred and claimed by KY-DDS for FFYs 2005 and 2006 on Form SSA-4513.
• Examined the indirect costs claimed by KY-DDS for FFYs 2005 and 2006 and the corresponding Indirect Cost Rate Agreements.
• Compared the amount of SSA funds drawn to support program operations to the allowable expenditures reported on Form SSA-4513.
• Reviewed the State of Kentucky Single Audit reports issued in 2005 and 2006.
• Conducted limited general control testing—which encompassed reviewing the physical access security in the DDS.

The electronic data used in our audit were sufficiently reliable to achieve our audit objectives. We assessed the reliability of the electronic data by reconciling them with the costs claimed on the Form SSA-4513.
We also conducted detailed audit testing on selected data elements in the electronic data files.

We performed our audit at the KY-DDS in Frankfort and Louisville, Kentucky, and the Office of Audit in Birmingham, Alabama, from March through September 2008. We conducted our audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

METHODOLOGY

Our sampling methodology encompassed the four general areas of costs as reported on Form SSA-4513: (1) personnel, (2) medical, (3) indirect, and (4) all other non-personnel costs. We obtained computerized data from KY-DDS for FFYs 2005 and 2006 for use in statistical sampling. Also, we reviewed general security controls the DDS had in place.

Personnel Costs

We sampled 50 employee salary items from 1 randomly selected pay period in FFY 2006. We tested regular and overtime payroll and hours for each individual selected. We verified that approved time records were maintained and supported the hours worked. We tested payroll records to ensure KY-DDS correctly paid employees and adequately documented these payments.

We reviewed all 39 medical consultants’ costs from 1 randomly selected pay period in FFY 2006. We determined whether sampled costs were reimbursed properly and ensured the selected medical consultants were licensed.

Medical Costs

We sampled a total of 100 medical evidence of records and consultative examination records (50 items from each FFY) using a proportional random sample.
We determined
whether sampled costs were properly reimbursed.

Indirect Costs

We reviewed the indirect cost base and computations used to determine those costs for
reimbursement purposes. Our objective was to ensure SSA reimbursed KY-DDS in
compliance with the approved Indirect Cost Rate Agreement. We analyzed the
approved rate used, ensuring the indirect cost rate changed when the Indirect Cost
Rate Agreement was modified. We reviewed the documentation and traced the base
amounts to Form SSA-4513 for the indirect cost computation components. We
determined whether the approved rate used was a provisional, predetermined, fixed, or
final rate.

All Other Non-Personnel Costs

We stratified all other non-personnel costs into nine categories: (1) Occupancy,
(2) Contracted Costs, (3) Electronic Data Processing Maintenance, (4) Equipment
Purchases and Rental, (5) Communications, (6) Applicant Travel, (7) DDS Travel,
(8) Supplies, and (9) Miscellaneous. We selected a stratified random sample of
50 items from each FFY based on the percentage of costs in each category (excluding
the rent portion of Occupancy) to total costs. We also performed a 100 percent review
of the rent portion of Occupancy expenditures.

General Security Controls

We conducted limited general security control testing. Specifically we reviewed the
following eight areas relating to general security controls: (1) Perimeter Security,
(2) Intrusion Detection, (3) Key Management, (4) Internal Office Security, (5) Equipment
Rooms, (6) Security Plan, (7) Continuity of Operations, and (8) Other Security Issues.
We determined whether the general security controls the DDS had in place were
satisfactory.

INVENTORY

We reviewed 25 percent of KY-DDS’ inventory items. We used KY-DDS’ current listing
of equipment purchased to randomly select our sample items.
We selected 255 items
for Frankfort and 124 for Louisville. For each sample item, we determined whether the
item was currently at the location listed or KY-DDS had disposal documentation to
support its prior existence.

Appendix C

Schedule of Total Costs Reported on Form SSA-4513—State Agency Report of
Obligations for Social Security Administration Disability Programs

Kentucky Disability Determination Services

FEDERAL FISCAL YEARS (FFY) 2005 and 2006 COMBINED

REPORTING ITEMS   DISBURSEMENTS   UNLIQUIDATED OBLIGATIONS   TOTAL OBLIGATIONS
Personnel           $47,639,421                         $0         $47,639,421
Medical              18,838,195                     10,100          18,848,295
Indirect              4,460,903                          0           4,460,903
All Other             9,196,399                    127,926           9,324,325
TOTAL               $80,134,918                   $138,026         $80,272,944

FFY 2005

REPORTING ITEMS   DISBURSEMENTS   UNLIQUIDATED OBLIGATIONS   TOTAL OBLIGATIONS
Personnel           $23,601,423                         $0         $23,601,423
Medical               9,305,310                          0           9,305,310
Indirect              2,291,485                          0           2,291,485
All Other             5,119,460                          0           5,119,460
TOTAL               $40,317,678                         $0         $40,317,678

FFY 2006

REPORTING ITEMS   DISBURSEMENTS   UNLIQUIDATED OBLIGATIONS   TOTAL OBLIGATIONS
Personnel           $24,037,998                         $0         $24,037,998
Medical               9,532,885                     10,100           9,542,985
Indirect              2,169,418                          0           2,169,418
All Other             4,076,939                    127,926           4,204,865
TOTAL               $39,817,240                   $138,026         $39,955,266

Appendix D

Agency Comments

SOCIAL SECURITY

Refer To: J. Irwin 2-1407

MEMORANDUM

Date:    January 16, 2008

To:      Inspector General

From:    Regional Commissioner
         Atlanta

Subject: Administrative Costs Claimed by the Kentucky Disability
         Determinations Services (A-08-08-18059)

Thank you for the opportunity to comment on the findings and the
recommendations presented in your draft report of the Kentucky Disability
Determinations Services (KY DDS). We believe that the Office of Inspector
General (OIG) Audit regarding internal controls over the accounting and reporting
of administrative costs, the proper drawdown of funds, the accuracy of costs
claimed, and the assessment of the KY DDS’ limited areas of general security
controls environment, was detailed and thorough.

Specifically, our comments on the twelve recommendations are as follows:

1. Instruct KY-DDS to establish adequate internal controls over inventory to
   ensure that inventory records are reliable and maintained in accordance with
   SSA policy.

We agree with the recommendation. KY has taken action to resolve this issue.
During the OIG audit, the KY DDS was not able to locate seven items identified
as computer equipment that may contain Personally Identifiable Information (PII).
The seven items were initially believed to consist of three servers, three
workstations and one laptop computer. A PII report was made 12/4/08 to the
NCSC based on an example provided to the DDS by OIG from a similar review
(CAPRS # 740977).
After a records search, the DDS was able to locate
inventory records for all but two of the computers; however, DDS review
indicates that it is highly unlikely that any PII was actually compromised.
The KY DDS stated that a process has been implemented to ensure that internal
controls over inventory are reliable and maintained in accordance with SSA
policy. The KY DDS met with Parent Agency representatives to develop a
process that would improve inventory controls. The Parent Agency has given the
DDS more direct control over inventory management. In December, 2008, the
DDS created a team of six employees, led by an Inventory Delegated Authority,
who will manage all DDS inventory. These six employees have each completed
two state sponsored training classes on the state accounting system (eMars).
The team is in the process of tagging and entering all of the KY DDS’ fixed
assets into eMars. No further action is required.

2. Work with KY DDS to timely reduce or eliminate the Louisville office’s
   physical security control weaknesses.

We agree with this recommendation. KY has been provided clarification on
SSA’s physical security policy for preparing Risk Assessment Plans for all
offices. Most of the information for the KY DDS Security Plan exists; however, it
had not been put into the most current format. The KY DDS Security Officer is
reviewing current security plans to ensure that they meet SSA’s requirement; this
action will be completed before March 31, 2009.
KY has requested funding for the security equipment that will address the
Louisville Office’s physical security control weaknesses cited in the OIG report.
The Region has approved the request and forwarded it to the Office of Disability
Determinations (ODD) for review and funding.
The request includes a door
access system for the entire office, an intrusion detection system (IDS), security
cameras, and partition walls and doors. The total cost of the project is estimated
to be $35,875. We will continue to work with KY until the project is completed.

3. Instruct KY DDS to change door codes at the Louisville office when staff
   with knowledge of the codes leaves or no longer has the need to know
   them.

We agree with this recommendation. In January 2008, Kentucky implemented a
policy to change door codes every quarter or sooner if an employee leaves the
DDS. The Louisville office manager will ensure that action is taken to change the
door codes quarterly and/or when someone leaves the Louisville office. Funding
has been requested, and forwarded to ODD, to make changes to have a badge
access system on all doors. We will continue to work with the DDS until the
badge access system is completed.

4. Instruct the KY DDS to implement a clean desk policy at the Louisville
   office.

We agree with this recommendation. The KY DDS has already implemented a
clean desk policy at the Frankfort and Louisville offices. No further action is
necessary.

5. Instruct KY DDS to test the Frankfort office’s IDS semi-annually.

We agree with this recommendation. KY DDS has already implemented a policy
to have office IDS equipment tested semi-annually. On January 12, 2009, a
representative from the KY DDS’ security vendor performed a test of all IDS
equipment in the Frankfort office. This will be performed semi-annually as
recommended by OIG. No further action is necessary.

6. Instruct the KY DDS to keep the Frankfort office’s undistributed keys in
   a locked drawer or cabinet.

We agree with this recommendation. The KY DDS has already implemented a
policy to keep undistributed keys secure.
The DDS has organized all of the
undistributed keys and they are now kept in a locked cabinet in the Building
Manager’s office. The Building Manager’s office is locked when it is not
occupied. No further action is necessary.

7. Work with the KY DDS to enhance security controls for the Frankfort
   office’s computer room and utility boxes.

We agree with this recommendation. KY has already taken action to secure the
Frankfort computer room and utility boxes. The DDS has requested funding for
the installation of motion detectors for the Frankfort computer room. The DDS
has also contacted the building owner and the Parent Agency facilities personnel
to inquire about having a chain-link fence installed around the utility boxes in the
mailroom. We will continue to work with the DDS until the motion detector and a
chain-link fence are installed in Frankfort.

8. Instruct the KY DDS to routinely test the Frankfort office’s
   uninterruptible power supply.

We agree with this recommendation. KY has already implemented a policy to
routinely test the Frankfort Office’s uninterruptible power supply. The DDS has
made arrangements to test the computer room UPS before the end of the first
quarter of calendar year 2009. Plans are to perform the test once a quarter. No
further action is necessary.

9. Ensure KY DDS establishes a Security Plan, which meets SSA
   requirements, for the Frankfort and Louisville offices—this includes
   developing Risk Assessment Plans for each office’s physical security
   vulnerabilities.

We agree with this recommendation. KY has recently updated security plans in
place for both Frankfort and Louisville offices. DDS management have been
reminded to develop risk assessments of their facilities (location, crime rate,
current security level, etc.), and they will comply.
The KY DDS Security Officer is
currently reviewing the security plans for both the Frankfort and Louisville offices
to ensure that the plans meet SSA’s requirements. The review will be completed
before March 31, 2009. The DDS and SSA will continue to monitor these plans to
ensure compliance.

10. Revise and/or clarify policy regarding DDS responsibility in obtaining
    prior approvals and document retention for equipment rentals.

We agree with this recommendation. SSA has provided policy clarification to KY
and the DDS will continue to follow SSA requirements to obtain prior approvals
and retain proper document retention for equipment rentals. No further action is
necessary.

11. Revise and/or clarify policy regarding DDS responsibility in obtaining
    prior approvals and document retention for DDS staff travel to NADE
    conferences.

POM policy is very clear on this issue; approval for DDS staff travel to NADE
conferences must be obtained prior to travel. The KY DDS has always followed
SSA’s policy for obtaining approval; however, the DDS was unable to locate
documentation of approvals. SSA discussed travel policy and document
retention with Kentucky and they will comply. No further action is necessary.

12. Establish policy that requires DDSs to review U.S. Department of Health
    and Human Services, Office of Inspector General, List of Excluded
    Individuals/Entities to determine whether medical consultants have
    been sanctioned from participating in any Federal or Federally-assisted
    program.

We agree with this recommendation. The DDS already has this policy in place.
A DDS employee is already designated to complete this task.
The employee
prints the information off the OIG website and highlights the vendors for KY and
the surrounding states; then checks the DDS Vendor File to see if the vendors
identified/performed consultative exams or if they are a MER vendor. If any
problems are identified, then the problem is taken to the person who maintains
the vendor file to take appropriate action to remove the vendor. No further action
is necessary.

Also, we believe KY-DDS should take steps to exclude the SSN from
documents it sends to third parties.

We agree with this recommendation. The KY DDS implemented the policy to
remove SSNs from documents sent to third parties in November, 2007. No
further action is necessary.

Please direct any questions you may have to Josie Irwin at (404) 562-1407.

Paul D. Barnes

cc:    Stephen C. Jones
       Josie Irwin

Appendix E

Kentucky Cabinet for Health and Family Services Comments

CABINET FOR HEALTH AND FAMILY SERVICES
DEPARTMENT FOR INCOME SUPPORT

Steven L. Beshear, Governor
Janie Miller, Secretary

PO Box 1000
Frankfort, KY 40602
(502) 564-5028
Fax: (502) 564-5035
www.chfs.ky.gov

January 23, 2009

Ms. Kimberly Byrd
Director
Social Security Administration
Office of the Inspector General
Atlanta Audit Division – Birmingham
Office of Audit
1200 8th Avenue North, 8th floor
Birmingham, AL. 35285

Dear Ms. Byrd:

We appreciate the work that the Social Security Administration, Office of the Inspector
General, did in auditing the fiscal reporting and security controls of the Kentucky Cabinet for
Health and Family Services. We also appreciate the opportunity to comment on the findings and
the recommendations presented in your report of the Kentucky Disability Determinations
Services (KY DDS).

The Kentucky Cabinet for Health and Family Services is committed to following the
policies and regulations of the Social Security Administration. As noted in our response, we
agree with all of your findings and in most cases we have already put plans into place to
improve our controls.

Attached you will find our response to your findings. If you should have any questions
about our responses, please do not hesitate to call DDS Commissioner Stephen Jones at 502-
564-5028 or my office at 502-564-7042.

Sincerely,

Janie Miller
Secretary

cc:   Patrick P. O’Carroll, Jr
      SSA Inspector General

      Stephen Jones
      Commissioner, Department for Income Support

KentuckyUnbridledSpirit.com          An Equal Opportunity Employer M/F/D

1) Instruct the Kentucky Disability Determination Services (KY DDS) to establish
adequate internal controls over inventory to ensure that inventory records are reliable
and maintained in accordance with Social Security Administration (SSA) policy.

We agree with the recommendation. After a records search, the KY DDS was able to locate
inventory records for all but two of the computers. KY DDS review indicated that it is highly
unlikely that any Personally Identifiable Information (PII) was actually compromised.

The KY DDS has implemented a new inventory control process to ensure that internal controls
over inventory are reliable and maintained in accordance with SSA policy. The KY DDS has met
with Cabinet for Health and Family Services (CHFS) inventory employees to develop a process
that will improve inventory controls. The DDS has been given more direct control over inventory
management. In December 2008, the KY DDS created a team of 6 employees, led by an
Inventory Delegated Authority, who will manage all KY DDS inventory. These 6 employees
have each completed 2 state sponsored training classes on the state accounting system
(eMars). The team is in the process of tagging and entering into eMars, all of the KY DDS’s
fixed assets.

2) Work with KY DDS to timely reduce or eliminate the Louisville branch office’s physical
security control weaknesses.

We agree with this recommendation. We have been provided with clarification on the SSA
physical security policy for preparing Risk Assessment Plans for all offices.
Most of the
information for the KY DDS Security Plan exists; however, it had not been put into the most
current format. The KY DDS Security Officer is reviewing current Security Plans to ensure that
they meet SSA’s requirement; this action will be completed before March 31, 2009.

We have requested funding for security equipment that will address the Louisville DDS branch
office’s physical security control weaknesses cited in the Office of the Inspector General’s (OIG)
report. Josie Irwin, the Kentucky Disability Program Administrator (DPA), has informed us that
the Atlanta Region has approved the request and forwarded it to the Office for Disability (OD)
for review and funding. The request includes a door access system for the entire office, an
intrusion detection system, security cameras, and partition walls and doors. The total cost of
the project is estimated to be $35,875.

The KY DDS has instituted a clean-desk policy in the Louisville and Frankfort offices.

3) Instruct KY DDS to change door codes at the Louisville office when staff with
knowledge of the codes leaves or no longer has the need to know them.

We agree with this recommendation. In January, 2008, the KY DDS implemented a policy to
change door codes every quarter, or when someone is terminated. During 2008 the Louisville
DDS branch office manager changed the door codes on a regular basis. Most recently the
codes were changed in January 2009. Funding has been requested to have a badge access
system installed on all doors.

4) Instruct the KY DDS to implement a clean desk policy at the Louisville branch office.

We agree with this recommendation. The KY DDS has implemented a clean desk policy at the
Frankfort and Louisville offices.

5) Instruct KY DDS to test the Frankfort office’s IDS semi-annually.

We agree with this recommendation.
The KY DDS has implemented a policy to have office IDS
equipment tested semi-annually. On January 12, 2009 a representative from the DDS’s security
vendor performed a test of all IDS equipment in the Frankfort office. This will be performed
semi-annually as recommended by OIG.

6) Instruct the KY DDS to keep the Frankfort office’s undistributed keys in a locked
drawer or cabinet.

We agree with this recommendation. The Kentucky DDS has implemented a policy to keep
undistributed keys secure. The Kentucky DDS has organized all of the undistributed keys and
they are now kept in a locked cabinet in the Building Manager’s office. The Building Manager’s
office is locked when it is not occupied.

7) Work with the KY DDS to enhance security controls for the Frankfort office’s
computer room and utility boxes.

We agree with this recommendation. The KY DDS has taken action to secure the Frankfort
computer room and utility boxes. The KY DDS has requested funding for the installation of
motion detectors for the Frankfort computer room. The KY DDS has also contacted the building
owner and the parent agency facilities personnel to inquire about having a chain-link fence
installed around the utility boxes in the mailroom.

8) Instruct the KY DDS to routinely test the Frankfort office’s uninterruptible power
supply (UPS).

We agree with this recommendation. The KY DDS has implemented a policy to routinely test
the Frankfort Office’s UPS. The KY DDS has made arrangements to test the computer room
UPS before the end of the 1st quarter of calendar year 2009.
Plans are to perform the test on a
regular basis.

9) Ensure KY DDS establishes a Security Plan, which meets SSA requirement, for the
Frankfort and Louisville offices—this includes developing Risk Assessment Plans for
each office’s physical security vulnerabilities.

We agree with this recommendation. The Kentucky DDS Security Officer is reviewing the
current security plan for both Frankfort and Louisville to ensure that the plans meet SSA’s
requirements; the review will be completed before March 31, 2009.

10) Revise and/or clarify policy regarding DDS responsibility in obtaining prior approvals
and document retention for equipment rentals.

We agree with this recommendation. The Kentucky Disability Program Administrator has
provided policy clarification to the KY DDS. The KY DDS will follow SSA requirements to obtain
prior approvals and retain documents for equipment rentals.

11) Revise and/or clarify policy regarding DDS responsibility in obtaining prior approvals
and document retention for DDS staff travel to NADE conferences.

We agree with this recommendation. The KY DDS follows SSA’s policy for obtaining approval;
however, for the period involved in the audit, they were unable to locate documentation of
approvals. SSA discussed travel policy and document retention with Kentucky. In the future,
Kentucky will retain travel authorization documents according to SSA policy.

12) Establish policy that requires DDSs to review U.S. Department of Health and Human
Services, Office of Inspector General, List of Excluded Individuals/Entities to determine
whether medical consultants have been sanctioned from participating in any Federal or
Federally-assisted programs.

The KY DDS already has this policy in place.
A KY DDS employee completes this task every
month.

OTHER MATTER:
Also, we believe KY-DDS should take steps to exclude the SSN from documents it sends
to third parties.

The KY DDS implemented a policy to remove Social Security Numbers from documents sent to
3rd parties in November 2007.

Appendix F

OIG Contacts and Staff Acknowledgments

OIG Contacts

   Kimberly A. Byrd, Director, (205) 801-1650

   Theresa Roberts, Audit Manager, (205) 801-1619

Acknowledgments

In addition to those named above:

   Hollie Reeves, Senior Auditor

For additional copies of this report, please visit our web site at
www.socialsecurity.gov/oig or contact the Office of the Inspector General’s Public
Affairs Staff Assistant at (410) 965-4518. Refer to Common Identification Number
A-08-08-18059.

DISTRIBUTION SCHEDULE

Commissioner of Social Security
Office of Management and Budget, Income Maintenance Branch
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Committee on the Budget, House of
Representatives
Chairman and Ranking Minority Member, Committee on Oversight and Government
Reform
Chairman and Ranking Minority Member, Committee on Appropriations, House of
Representatives
Chairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,
Education and Related Agencies, Committee on Appropriations,
House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S.
Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human
Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security Pensions
and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board
'